On Sat, 26 Mar 2005, Juergen Schmidt wrote:
> dnsmasq is vulnerable to cache poisoning.
Some additional information:
Don't panic. This is not directly related to the cache poisoning issues
that are actively exploited right now and that are known as pharming.
Pharming works like this: I control the authoritative name server
dns.evil.org for evil.org. I get your system to ask dns.evil.org for
http://www.evil.org (for example by sending an email from webmaster@...
and wait for the DNS check of your mail server). I tell you the IP address
of http://www.evil.org -- and by the way: I am in charge of the whole
.org-domain. If your server faithfully believes this claim, you have a
problem. The next time you want to go to http://www.ipcop.org, he is going to ask
dns.evil.org for the server in charge of ipcop.org -- and I'll give him
the IP address of http://www.heisec.de ;-)
Now for dnsmasq: First, dnsmasq never talks to dns.evil.org. As a proxy it
sends all queries to the dns server of your provider. (If the dns server
of your provider is vulnerable, you have the very same problem. But
there's nothing dnsmasq can do about that). Second: even if dnsmasq gets
some dns answers from evil servers with those additional fields for a
whole domain, it will simply discard them (I checked this one).
The problem with dnsmasq is (as far as I can tell -- no guarantee):
dnsmasq sends a query for http://www.somewhere.org to the
dns server of your provider. This query has an id. If the answer comes back,
it checks the id. But it does not check if the answer is for the right
question. So if a blind attacker floods your IP with faked dns answers for
http://www.ipcop.org he will eventually hit the id of an active query and his
fake answer is inserted into the cache. The next time you go to
http://www.ipcop.org dnsmasq takes this cached address and sends you to
As ids take values from 1 to 65535, this is not an easy task, but I might
succeed if I manage to slow down the dns server of your provider and/or
get you to do a lot of dns queries (perhaps with a specially prepared web
site you visit that contains a lot of img tags).
So imho you should update dnsmasq as soon as possible.
Juergen Schmidt Chefredakteur heise Security http://www.heisec.de
Heise Zeitschriften Verlag, Helstorferstr. 7, D-30625 Hannover
Tel. +49 511 5352 300 FAX +49 511 5352 417 EMail ju@...
GPG-Key: 0x38EA4970, 5D7B 476D 84D5 94FF E7C5 67BE F895 0A18 38EA 4970
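As an added illustration (this is not code from the post, nor dnsmasq's own code), here is a minimal DNS question parser with the two acceptance rules the post contrasts: matching only the transaction id, versus matching the id plus the question section (name, type, class). Function names, the constructed messages and the hostnames used are assumptions for the example.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(txid, qname, qtype=1, qclass=1, is_response=False):
    """Constructed header + one question; the answer section is left empty
    because only the question section matters for this check."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, qname, qtype, qclass) from a message's question section."""
    txid, _flags, qdcount = struct.unpack(">HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:  # a compression pointer in the question is not expected
            raise ValueError("compressed qname in question section")
        labels.append(msg[pos:pos + ln].decode("ascii").lower())
        pos += ln
    qtype, qclass = struct.unpack(">HH", msg[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass

def accept_id_only(pending, response):
    """The weak rule the post describes: only the 16-bit id is compared."""
    return parse_question(response)[0] == pending[0]

def accept_id_and_question(pending, response):
    """The stricter rule: the id and the whole question must match the query
    that is outstanding. A guessed id alone is no longer enough to insert
    an answer for a different name into the cache."""
    return parse_question(response) == pending

if __name__ == "__main__":
    query = build_message(0x1234, "www.somewhere.org")
    pending = parse_question(query)
    spoof = build_message(0x1234, "www.ipcop.org", is_response=True)
    print(accept_id_only(pending, spoof), accept_id_and_question(pending, spoof))
```

Matching the question section closes the mismatch the post describes; it does not by itself make the id harder to guess, so it complements, rather than replaces, unpredictable ids.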